Privacy Policy

Last updated: January 2025

Important: This Privacy Policy explains how One Little Tool collects, uses, and protects your personal information. By using our services, you agree to the collection and use of information in accordance with this policy. If you have questions, please contact us at privacy@onelittletool.com.

1. Information We Collect

1.1 Information You Provide Directly

When you register for an account or use our services, we collect:

  • Account Information: Name, email address, phone number, business name, ABN/ACN, business address, and trade type
  • Profile Information: Business description, service areas, pricing preferences, and branding materials (logo, colors)
  • Payment Information: Credit card details, bank account information, billing address, and transaction history (processed through third-party payment processors)
  • Job Information: Customer names, contact details, job descriptions, site addresses, photos uploaded by customers or you, quotes, invoices, and job notes
  • Team Information: Names, email addresses, roles, and permissions of team members you add to your account
  • Communication Data: Messages sent through our platform, support requests, feedback, and survey responses

1.2 Information Collected Automatically

  • Device Information: Browser type and version, operating system, device identifiers, screen resolution, and device model
  • Log Data: IP address, access times, pages viewed, page response times, download errors, and referring URLs
  • Location Data: Approximate geographic location derived from IP address, and precise location (with your consent) for service area mapping
  • Usage Data: Features used, time spent on platform, interaction patterns, clicks, scrolls, and navigation paths
  • Cookies and Similar Technologies: Session identifiers, preference settings, and authentication tokens (see Section 7 for details)

1.3 Information from Third Parties

  • Payment Processors: Transaction confirmations, payment status, and fraud prevention data
  • Calendly: Booking information when you schedule demos or appointments through our embedded calendar
  • Xero (coming soon): Financial data synchronized with your accounting software when you connect Xero to your account
  • Authentication Providers: If you use social login, we receive basic profile information from those services

2. How We Use Your Information

2.1 Service Delivery and Core Operations

  • Create and manage your account and business profile
  • Process and display smart intake form submissions from your customers
  • Generate AI-powered quote suggestions based on job photos and descriptions
  • Process payments, deposits, and invoices through integrated payment processors
  • Enable job tracking, assignment, and team dispatch functionality
  • Facilitate communication between you, your team, and your customers
  • Provide customer portal access for feedback and job updates
  • Send transactional emails via Resend (confirmations, notifications, receipts)

2.2 AI and Automated Processing

Important Disclosure: One Little Tool uses artificial intelligence and automated systems to analyze job-related data. Specifically:

  • Image Analysis: Photos uploaded through intake forms are analyzed by AI to identify job requirements, materials needed, and suggested scope of work
  • Quote Generation: AI processes job descriptions, photos, location data, and your historical pricing to suggest quote line items and pricing
  • Text Processing: Customer messages and job descriptions are analyzed to extract key information and categorize job types
  • Human Review: All AI-generated suggestions are reviewed and approved by you before being sent to customers. AI outputs are recommendations only and do not constitute binding quotes or commitments

2.3 Service Improvement and Development

  • Analyze usage patterns to improve features and user experience
  • Train and improve our AI models (using aggregated, anonymized data)
  • Develop new products, features, and services
  • Conduct research and analytics on service performance
  • Test new functionality and troubleshoot technical issues

2.4 Communication and Support

  • Respond to your inquiries, comments, and support requests
  • Send important service announcements, updates, and technical notices
  • Provide customer support and troubleshooting assistance
  • Send promotional communications (with your consent, and you may opt out at any time)
  • Request feedback and conduct surveys about our services

2.5 Security, Fraud Prevention, and Legal Compliance

  • Detect, prevent, and respond to fraud, security incidents, and abuse
  • Verify identity and authenticate accounts
  • Enforce our Terms of Service and other policies
  • Comply with legal obligations, court orders, and regulatory requirements
  • Protect our rights, property, safety, and that of our users and the public
  • Resolve disputes and investigate complaints

2.6 Legal Basis for Processing (GDPR)

For users in the European Economic Area, United Kingdom, or other jurisdictions with similar data protection laws, we process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing necessary to provide the services you requested (Account creation, job management, payment processing, AI quoting)
  • Legitimate Interests: Processing necessary for our legitimate business interests (Service improvement, analytics, fraud prevention, customer support) while respecting your privacy rights
  • Consent: Where you have provided explicit consent (Marketing communications, optional features, precise location data)
  • Legal Obligation: Processing required to comply with applicable laws (Tax records, payment regulations, law enforcement requests)

3. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share your information only in the following circumstances:

3.1 Service Providers and Data Processors

We engage trusted third-party companies to perform services on our behalf. These service providers have access to your information only to perform specific tasks and are contractually obligated to protect your data:

  • Email Service Provider: Resend (for transactional and notification emails)
  • Payment Processors: Stripe, PayPal, or other PCI-compliant processors (for payment processing; we do not store full credit card details)
  • Scheduling Service: Calendly (when you book demos or appointments)
  • Cloud Hosting and Storage: AWS, Google Cloud, or similar providers (for data storage and infrastructure)
  • AI and Machine Learning Services: OpenAI, Anthropic, or similar providers (for AI-powered features, with data encryption and confidentiality agreements)
  • Analytics Providers: For usage analytics and service improvement
  • Accounting Integration: Xero (when you choose to connect your Xero account, coming soon)

3.2 Business Transfers

If One Little Tool is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

3.3 Legal Requirements and Protection

We may disclose your information when required by law or in good faith belief that disclosure is necessary to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our Terms of Service and investigate potential violations
  • Detect, prevent, or address fraud, security, or technical issues
  • Protect the rights, property, or safety of One Little Tool, our users, or the public as required or permitted by law
  • Respond to claims that content violates the rights of third parties

3.4 With Your Consent

We may share your information with third parties when you give us explicit consent to do so, such as when you authorize integrations with other business tools or share job information with specific parties.

3.5 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you individually for industry analysis, demographic profiling, marketing, and other business purposes. For example, we may share statistics about tradie usage patterns or AI quoting accuracy rates.

4. Data Retention and Deletion

4.1 Retention Periods

We retain your personal information for as long as necessary to provide services and fulfill the purposes outlined in this policy:

  • Active Accounts: Account and profile information retained while your account is active
  • Job Records: Job data, quotes, and invoices retained for 7 years for tax and legal compliance purposes
  • Payment Records: Transaction records retained for 7 years to comply with financial regulations
  • Communications: Support emails and messages retained for 3 years for quality assurance and dispute resolution
  • Log Data: Server logs and usage data retained for 12 months for security and analytics
  • Marketing Data: Email marketing lists retained until you unsubscribe, plus 2 years to honor opt-out requests

4.2 Account Deletion

When you delete your account or request deletion of your data:

  • We will delete or anonymize your personal information within 30 days, except where retention is required by law
  • Some information may be retained in backup systems for up to 90 days before permanent deletion
  • Financial records may be retained for up to 7 years for tax and legal compliance
  • Aggregated, anonymized data derived from your usage may be retained indefinitely
  • We will notify third-party processors to delete your information where applicable

5. Data Security

We implement comprehensive security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction:

5.1 Technical Safeguards

  • Encryption: All data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols
  • Data at Rest: Sensitive data is encrypted in our databases using AES-256 encryption
  • Secure Infrastructure: Hosted on secure, SOC 2 compliant cloud infrastructure with redundancy and backups
  • Access Controls: Multi-factor authentication, role-based access, and principle of least privilege for our team
  • Payment Security: Payment card data is handled by PCI DSS compliant payment processors; we do not store full card details
  • Regular Updates: Security patches and software updates applied promptly

5.2 Organizational Safeguards

  • Background checks for employees with access to customer data
  • Confidentiality agreements and privacy training for all staff
  • Regular security audits and vulnerability assessments
  • Incident response plan for data breach scenarios
  • Vendor security assessments for all third-party processors

5.3 Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify you within 72 hours of discovering the breach (or as required by applicable law). The notification will include the nature of the breach, types of information affected, steps we are taking to address it, and recommended actions you should take to protect yourself. Notifications will be sent via email to your registered email address and posted on our website.

5.4 Your Security Responsibilities

While we implement strong security measures, you also play a critical role in protecting your information:

  • Choose a strong, unique password and do not share it with others
  • Enable multi-factor authentication when available
  • Log out of your account when using shared or public devices
  • Report any unauthorized access or suspicious activity immediately
  • Keep your contact information up to date so we can reach you about security issues

Important: No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

6. Your Privacy Rights

You have significant rights regarding your personal information. The specific rights available to you may depend on your location:

6.1 Rights Available to All Users

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Data Portability: Request your data in a structured, machine-readable format (JSON or CSV)
  • Opt-Out of Marketing: Unsubscribe from promotional emails at any time via the unsubscribe link
  • Account Settings: Update your preferences and profile information directly in your account

6.2 Additional Rights for GDPR (EU/UK Users)

  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Restrict Processing: Request restriction of processing in certain circumstances
  • Right to Withdraw Consent: Withdraw consent at any time (without affecting prior lawful processing)
  • Right to Lodge a Complaint: File a complaint with your local data protection authority
  • Right to Not Be Subject to Automated Decision-Making: Request human review of AI-generated decisions that have legal or significant effects

6.3 Additional Rights for CCPA/CPRA (California Users)

  • Right to Know: Know what personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of personal information (with certain exceptions)
  • Right to Opt-Out: Opt out of "sale" or "sharing" of personal information (Note: We do not sell personal information)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit Use: Limit the use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Not be discriminated against for exercising these rights

6.4 Additional Rights for Australian Users (Privacy Act)

  • Access to Information: Request access to your personal information we hold
  • Correction: Request correction of inaccurate information
  • Complaint Process: Lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC)
  • Overseas Disclosure: Be informed when your information is disclosed overseas

6.5 How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: privacy@onelittletool.com
  • Subject Line: "Privacy Rights Request - [Your Right]"
  • Include: Your name, email address, account details, and specific request

We will respond to verified requests within 30 days (or as required by applicable law). We may request additional information to verify your identity before processing your request. There is no charge for reasonable requests, but we may charge a fee for repetitive, excessive, or manifestly unfounded requests.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and deliver personalized content.

7.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for site operation, authentication, and security. These cannot be disabled as the platform would not function properly. (Session cookies, authentication tokens, security cookies)
  • Functional Cookies: Remember your preferences and settings. (Language preference, display mode, form auto-fill)
  • Analytics Cookies: Help us understand how you use our platform to improve features and performance. (Page views, feature usage, error tracking, session duration)
  • Marketing Cookies: Track your activity across websites to deliver relevant advertising and measure campaign effectiveness. (Only used with your consent)

7.2 Third-Party Cookies

Some third-party services may set cookies when you use our platform:

  • Calendly: When you interact with our booking widget
  • Payment Processors: For fraud prevention and transaction processing
  • Analytics Providers: To help us understand user behavior

7.3 Cookie Duration

  • Session Cookies: Deleted when you close your browser
  • Persistent Cookies: Remain on your device for a set period (typically 30 days to 2 years) or until you delete them

7.4 Managing Cookies

You can control and manage cookies in several ways:

  • Browser Settings: Most browsers allow you to block or delete cookies through settings
  • Opt-Out Tools: Use industry opt-out tools like the Network Advertising Initiative opt-out page
  • Do Not Track: We honor Do Not Track (DNT) signals from your browser
  • Cookie Preferences: Manage your preferences through our cookie consent banner (appears on first visit)

Note: Blocking or deleting certain cookies may impact platform functionality and your user experience.

8. International Data Transfers

One Little Tool is based in Australia. If you access our services from outside Australia, please be aware that your information may be transferred to, stored, and processed in Australia or other countries where our service providers operate.

When we transfer personal data from the European Economic Area, United Kingdom, or Switzerland to countries that do not provide an adequate level of data protection, we implement appropriate safeguards such as:

  • Standard Contractual Clauses approved by the European Commission
  • Ensuring service providers are certified under relevant frameworks
  • Obtaining your explicit consent where required
  • Implementing additional technical and organizational security measures

9. Children's Privacy

One Little Tool is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@onelittletool.com. If we discover we have collected information from a child under 18 without parental consent, we will delete that information promptly.

Our services are designed for trade professionals conducting business activities. All users must be at least 18 years old and legally able to enter into contracts.

10. Links to Third-Party Websites

Our platform may contain links to third-party websites, services, or integrations (such as Calendly, Xero, payment processors). This Privacy Policy applies only to One Little Tool. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit.

When you connect third-party services to your One Little Tool account, those services may collect, use, and share your data according to their own privacy policies.

11. Your Customer Data Responsibilities

Important: As a One Little Tool user, you act as a data controller when you collect personal information from your customers through our platform. You are responsible for:

  • Obtaining necessary consents from your customers before collecting their personal information
  • Providing your customers with appropriate privacy notices about your data collection practices
  • Complying with applicable privacy laws in your jurisdiction (including Australian Privacy Principles, GDPR, CCPA, etc.)
  • Ensuring you have a lawful basis for processing customer data
  • Honoring your customers' privacy rights (access, deletion, correction requests)
  • Using customer data only for legitimate business purposes
  • Maintaining appropriate security for customer data you collect

One Little Tool acts as a data processor when handling customer data on your behalf. We will process this data only according to your instructions and this Privacy Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email if changes are material or significantly affect your rights
  • Post a prominent notice on our website or within the platform
  • For significant changes, provide at least 30 days' notice before the changes take effect

Your continued use of our services after the effective date of any changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should discontinue use and may request deletion of your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Data Protection Officer and Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Privacy Contact
One Little Tool
Sydney, NSW, Australia

Email: privacy@onelittletool.com
General Inquiries: hello@onelittletool.com
Legal Matters: legal@onelittletool.com

Response Time: We aim to respond to all privacy inquiries within 5 business days and resolve issues within 30 days.

For Australian Users

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Email: enquiries@oaic.gov.au

For EU/UK Users

You have the right to lodge a complaint with your local data protection authority or the Information Commissioner's Office (ICO) in the UK:

  • Website: ico.org.uk
  • Phone: 0303 123 1113

For California Users

You may contact the California Attorney General's office regarding privacy concerns:

  • Website: oag.ca.gov/privacy
  • Phone: (916) 210-6276

Legal Disclaimer: This Privacy Policy is provided for informational purposes and should be reviewed by a qualified attorney before implementation. Privacy laws vary by jurisdiction and change frequently. We recommend consulting with legal counsel to ensure compliance with all applicable regulations in your operating regions.